From 1e9c1e46eed146d570387d11c60c6281226f403e Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Mon, 3 Mar 2025 11:20:25 +0000
Subject: [PATCH] [Security Solution][Detection Engine] tests
---
 .../esql/trial_license_complete_tier/esql.ts | 11 +++++++++--
 .../trial_license_complete_tier/esql_suppression.ts | 8 +++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
index cc5fb11375a4d..bfb9caab02641 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
@@ -407,6 +407,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect.arrayContaining(['part-0', 'part-1', 'test-1'])
 );
 });
+
 it('should generate alert per expanded row when expanded field renamed', async () => {
 const id = uuidv4();
 const interval: [string, string] = [
@@ -443,6 +444,9 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts.length).toBe(3);
 });
+
+ // When expanded field dropped, ES|QL response rows will be identical.
+ // In this case, identical duplicated alerts won't be created
 it('should NOT generate alert per expanded row when expanded field dropped', async () => {
 const id = uuidv4();
 const interval: [string, string] = [
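Review bot: The two-line comment added above the 'should NOT generate alert per expanded row when expanded field dropped' test is the only place in this suite that explains the behaviour, and its second line reads as a double negative ("identical duplicated alerts won't be created"). Since this is where a rule author learns that dropping the expanded field collapses the per-value rows back into one alert, state that directly: `// When the expanded field is dropped, the ES|QL response rows become identical, so they are deduplicated and a single alert is created instead of one per expanded value.` It would also help to say in one more line that this is the intended trade-off of a DROP on that field, so the loss of per-value alerting is not mistaken for a bug. The enclosing describe block starts and ends outside the hunk.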
@@ -479,7 +483,8 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts.length).toBe(2);
 });
- it('should generate alert per expanded row when mv_expand multiple used', async () => {
+
+ it('should generate alert per expanded row when mv_expand used multiple times', async () => {
 const id = uuidv4();
 const interval: [string, string] = [
 '2020-10-28T06:00:00.000Z',
@@ -525,6 +530,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect.arrayContaining([undefined, 'host-0', 'host-1', 'host-2', 'host-3'])
 );
 });
+
 it('should deduplicate alerts generated from expanded rows', async () => {
 const id = uuidv4();
 // document will fall into 2 rule execution windows
@@ -558,6 +564,7 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts.length).toBe(2);
 });
+
 it('should deduplicate alerts generated form expanded rows when expanded field renamed', async () => {
 const id = uuidv4();
 // document will fall into 2 rule execution windows
@@ -594,7 +601,7 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts.length).toBe(2);
 });
- it('should deduplicate alerts from expanded rows when expanded field dropped', async () => {
+ it('should deduplicate alert when expanded field dropped', async () => {
 const id = uuidv4();
 // document will fall into 2 rule execution windows
 const doc1 = {
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
index 1c4e57e6ed813..624925c87f7f1 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
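Review bot: The new title `'should deduplicate alert when expanded field dropped'` drops the "generated from expanded rows" phrase that the two sibling dedup tests keep and switches to the singular, so the three cases no longer read as the parallel set they are; `it('should deduplicate alerts generated from expanded rows when expanded field dropped', async () => {` keeps the pattern. While these titles are being normalised, the sibling in the preceding hunk (a context line, not touched by this commit) still reads "generated form expanded rows", where "form" should be "from". The test bodies start and end outside the hunk.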
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql_suppression.ts
@@ -2142,6 +2142,7 @@ export default ({ getService }: FtrProviderContext) => {
 expect(previewAlerts.length).toBe(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
 });
+
 it('should suppress alerts generated from expanded rows when expanded field renamed', async () => {
 const id = uuidv4();
 const interval: [string, string] = ['2020-10-28T06:00:00.000Z', '2020-10-28T06:10:00.000Z'];
@@ -2181,7 +2182,7 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 2);
 });
- it('should NOT generate alert per expanded row when expanded field dropped', async () => {
+ it('should NOT generate alerts per expanded row when expanded field dropped', async () => {
 const id = uuidv4();
 const interval: [string, string] = ['2020-10-28T06:00:00.000Z', '2020-10-28T06:10:00.000Z'];
 const documents = [
@@ -2220,7 +2221,7 @@ export default ({ getService }: FtrProviderContext) => {
 
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 1);
 });
- it('should suppress on interval alerts, created from expanded rows', async () => {
+ it('should suppress alerts from expanded rows on interval', async () => {
 const id = uuidv4();
 const doc1 = {
 id,
@@ -2268,7 +2269,8 @@ export default ({ getService }: FtrProviderContext) => {
 expect(previewAlerts.length).toBe(1);
 expect(previewAlerts[0]._source).toHaveProperty([ALERT_SUPPRESSION_DOCS_COUNT], 3);
 });
- it('should suppress on interval alerts, created from expanded rows when expanded field renamed', async () => {
+
+ it('should suppress alerts on interval when expanded field renamed', async () => {
 const id = uuidv4();
 const doc1 = {
 id,
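Review bot: The renamed title `'should suppress alerts on interval when expanded field renamed'` loses the "from expanded rows" qualifier that its sibling renamed in the preceding hunk keeps ('should suppress alerts from expanded rows on interval'), so the two interval-suppression cases no longer read as the pair they are, and the title alone no longer says the alerts come from mv_expand output. `it('should suppress alerts from expanded rows on interval when expanded field renamed', async () => {` restores the parallel. The test body continues outside the hunk.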